Document consequences of ssh-agent being setgid in ssh-agent(1); see

#711623.
author: Colin Watson <cjwatson@debian.org> 2013-06-08 22:18:07 +0100
committer: Colin Watson <cjwatson@debian.org> 2013-06-08 22:18:07 +0100
commit: 074489e1e6e97c75d87750035dbaf8c693e9736e (patch)
tree: 838e11a456ea7152c71417acd2c71060dc6c7707 /debian/patches/ssh-agent-setgid.patch
parent: 04603e44daf10700cc3d987e4119efd9a30bb259 (diff)
1 files changed, 32 insertions, 0 deletions
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
new file mode 100644
index 000000000..7e909a165
--- /dev/null
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -0,0 +1,32 @@
+Description: Document consequences of ssh-agent being setgid in ssh-agent(1)
+Author: Colin Watson <cjwatson@debian.org>
+Bug-Debian: http://bugs.debian.org/711623
+Forwarded: no
+Last-Update: 2013-06-08
+Index: b/ssh-agent.1
+===================================================================
+--- a/ssh-agent.1
+++ b/ssh-agent.1
+@@ -182,6 +182,21 @@
+ .Pp
+ The agent exits automatically when the command given on the command
+ line terminates.
+.Pp
+In Debian,
+.Nm
+is installed with the set-group-id bit set, to prevent
+.Xr ptrace 2
+attacks retrieving private key material.
+This has the side-effect of causing the run-time linker to remove certain
+environment variables which might have security implications for set-id
+programs, including
+.Ev LD_PRELOAD ,
+.Ev LD_LIBRARY_PATH ,
+and
+.Ev TMPDIR .
+If you need to set any of these environment variables, you will need to do
+so in the program executed by ssh-agent.
+ .Sh FILES
+ .Bl -tag -width Ds
+ .It Pa ~/.ssh/identity
author	Colin Watson <cjwatson@debian.org>	2013-06-08 22:18:07 +0100
committer	Colin Watson <cjwatson@debian.org>	2013-06-08 22:18:07 +0100
commit	074489e1e6e97c75d87750035dbaf8c693e9736e (patch)
tree	838e11a456ea7152c71417acd2c71060dc6c7707 /debian/patches/ssh-agent-setgid.patch
parent	04603e44daf10700cc3d987e4119efd9a30bb259 (diff)

diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch new file mode 100644 index 000000000..7e909a165 --- /dev/null +++ b/debian/patches/ssh-agent-setgid.patch
@@ -0,0 +1,32 @@
	1	Description: Document consequences of ssh-agent being setgid in ssh-agent(1)
	2	Author: Colin Watson <cjwatson@debian.org>
	3	Bug-Debian: http://bugs.debian.org/711623
	4	Forwarded: no
	5	Last-Update: 2013-06-08
	6
	7	Index: b/ssh-agent.1
	8	===================================================================
	9	--- a/ssh-agent.1
	10	+++ b/ssh-agent.1
	11	@@ -182,6 +182,21 @@
	12	.Pp
	13	The agent exits automatically when the command given on the command
	14	line terminates.
	15	+.Pp
	16	+In Debian,
	17	+.Nm
	18	+is installed with the set-group-id bit set, to prevent
	19	+.Xr ptrace 2
	20	+attacks retrieving private key material.
	21	+This has the side-effect of causing the run-time linker to remove certain
	22	+environment variables which might have security implications for set-id
	23	+programs, including
	24	+.Ev LD_PRELOAD ,
	25	+.Ev LD_LIBRARY_PATH ,
	26	+and
	27	+.Ev TMPDIR .
	28	+If you need to set any of these environment variables, you will need to do
	29	+so in the program executed by ssh-agent.
	30	.Sh FILES
	31	.Bl -tag -width Ds
	32	.It Pa ~/.ssh/identity